CareBot by Time AI Privacy Policy
Last Updated: March 22, 2025

Time AI (“the Company”, “We”, “Us”) is committed to protecting the privacy and security of data processed by CareBot by Time AI (“CareBot”), our AI agent designed to support clinic operations and customer relationship management (CRM) for healthcare providers. This Privacy Policy explains how we collect, use, store, transfer, and delete data—including Protected Health Information (“PHI”)—when you (the Buyer, Doctor, or Clinic Director) use our Service. This policy is directed exclusively to our business clients and does not apply to individual patient data provided directly to your clinic. All data handling practices are designed to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) and other applicable privacy and security regulations.

1. Interpretation and Definitions
1.1. Interpretation
Unless the context otherwise requires, the following rules of interpretation shall apply in this Privacy Policy:
- Headings and Captions: Headings and subheadings are provided solely for convenience and shall not affect the interpretation of this Privacy Policy.
- Singular and Plural: The singular includes the plural and vice versa.
- References to Statutes and Regulations: References to any statute or regulation include all amendments, modifications, and re-enactments thereof.
- Use of Terms “Include” and “Including”: The terms “include” and “including” are descriptive and shall not be construed as limiting.
- Conflict of Provisions: In the event of any inconsistency between this Privacy Policy and applicable law—including HIPAA and its implementing regulations—the applicable law shall prevail.
- Definitions: Capitalized terms not otherwise defined in this section shall have the meanings assigned to them in applicable federal law and regulations.
1.2. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
- “Account”: A unique user account created for an individual or legal entity (“You”) to access and use the CareBot Service.
- “Affiliate”: Any entity that directly or indirectly controls, is controlled by, or is under common control with the Company, where “control” means ownership of more than 50% of the voting securities or the right to otherwise direct the management or policies of the entity.
- “Application” or “CareBot”: The healthcare application provided by Time AI that delivers healthcare-related interactions, information, and services to support clinic operations and CRM. CareBot is designed and maintained to comply with HIPAA and all applicable privacy and security laws.
- “Business Associate”: Any person or entity, other than a member of the workforce of a Covered Entity, that performs functions or activities on behalf of, or provides services to, a Covered Entity that involve the use or disclosure of PHI. When CareBot processes PHI on behalf of a Covered Entity, Time AI shall be deemed a Business Associate and will adhere to all applicable HIPAA requirements.
- “Covered Entity”: A healthcare provider that transmits any health information electronically in connection with a HIPAA transaction, a health plan, or a healthcare clearinghouse. Although Time AI itself is not a Covered Entity, if CareBot processes PHI on behalf of a Covered Entity, we operate as a Business Associate.
- “AWS Environment”: The secure cloud hosting platform provided by Amazon Web Services on which CareBot operates, subject to AWS’s compliance certifications and robust security controls.
- “WhatsApp Business Integration”: The integration with WhatsApp Business that facilitates secure, encrypted communications between CareBot and your clinic staff, ensuring that all transmitted data is handled in a HIPAA-compliant manner.
- “EMR Integration”: The interface by which CareBot connects with your existing electronic medical record systems and clinic management systems, allowing the secure transfer and processing of PHI.
- “Encryption”: A security measure that transforms data into an unreadable format for unauthorized users. For PHI, encryption standards such as Advanced Encryption Standard (AES) 256-bit for data at rest and Transport Layer Security (TLS) for data in transit are employed.
- “HIPAA”: The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, including the HIPAA Privacy Rule (45 CFR Parts 160 and 164) and the HIPAA Security Rule.
- “Personal Data”: Any information relating to an identified or identifiable natural person. In the context of CareBot, this includes both general personal data and PHI.
- “PHI (Protected Health Information)”: Individually identifiable health information that is created, received, maintained, or transmitted by a Covered Entity or Business Associate. PHI includes information related to an individual’s health condition, the provision of healthcare, or payment for healthcare, excluding data that has been de-identified in accordance with HIPAA standards.
- “Service”: Refers to the CareBot application and any related services provided by Time AI through our website, WhatsApp Business, and integrations with EMRs and other management systems.
- “Service Provider”: Any third party that processes Personal Data or PHI on behalf of the Company. Such Service Providers are contractually obligated to implement appropriate safeguards to ensure compliance with HIPAA and this Privacy Policy.
- “Usage Data”: Data that is automatically collected from the use of the Service, including, but not limited to, IP addresses, browser type and version, pages visited, time and date of access, and other diagnostic data.
- “Cookies”: Small text files placed on your device by the Service that store information related to your usage. “Cookies” include any similar tracking technologies or identifiers.
- “Data De-Identification”: The process by which PHI is rendered no longer identifiable to an individual, using either the removal of 18 specific identifiers (Safe Harbor method) or through a methodology determined by a qualified expert (Expert Determination) that minimizes re-identification risk.
- “Risk Assessment”: A systematic evaluation to identify and assess vulnerabilities in the safeguarding of PHI, including the likelihood and impact of a breach, and to implement appropriate mitigation measures.
- “Audit Log”: A record of system activity that documents access to or modifications of PHI, maintained to facilitate monitoring, review, and compliance with HIPAA requirements.
2. Data We Collect
To deliver healthcare operations and CRM support via CareBot, we collect various types of data from your clinic and associated systems. The data is collected and processed in accordance with HIPAA and is segregated to ensure that PHI is handled with the highest standards of confidentiality and security.
2.1. Personal Data
When you register for and use CareBot, we may collect the following Personal Data:
- Contact Information:
  - First name and last name
  - Email address
  - Phone number
- Account Credentials:
  - Username and password, along with any two-factor authentication data that you choose to provide.
This data is collected solely for account management, communication regarding the Service, and verifying your identity for access purposes. It is used strictly to support your clinic’s operations.
2.2. Protected Health Information (PHI)
For healthcare features within CareBot, we may collect PHI in accordance with HIPAA. PHI includes, but is not limited to:
- Health Data Provided by Your Clinic:
  - Health symptoms, conditions, and diagnoses
  - Medical history, including medications and treatments
  - Appointment details, healthcare provider information, and facility data
  - Responses to health-related assessments and questionnaires
- Data Input During Healthcare Interactions:
  - Information shared during CareBot interactions that relates to patient care, treatment, or clinical operations (transferred from integrated EMRs and management systems)
- Other Sensitive Health Information:
  - Any additional information voluntarily provided that is directly related to healthcare operations.
PHI is collected only when necessary for CareBot’s healthcare-related functions. All PHI is segregated, encrypted, and processed in strict compliance with HIPAA’s Privacy and Security Rules. When PHI is processed, de-identification or anonymization methods (Safe Harbor or Expert Determination) are applied when appropriate.
2.3. Usage Data
To optimize and secure our Service, we automatically collect Usage Data, which may include:
- Technical Information:
  - Device IP address
  - Browser type and version
  - Operating system and device identifiers
- Interaction Details:
  - The pages or features of CareBot that you interact with
  - Date and time stamps of interactions
  - Session duration and frequency of visits
- Diagnostic Data:
  - Log files and error reports generated during Service use
Usage Data enables us to monitor system performance, diagnose issues, and enhance overall functionality while ensuring PHI remains protected.
2.4. Tracking Technologies and Cookies
CareBot employs tracking technologies to improve user experience and analyze usage patterns. These include:
- Cookies: Small text files stored on your device to remember your preferences and session details.
- Web Beacons and Pixel Tags: Tiny graphics or scripts that track user interactions and Service performance.
3. Use of Your Personal Data
CareBot uses the Personal Data and PHI collected from your clinic solely to provide, secure, and improve our healthcare operations and CRM services in compliance with HIPAA.
3.1. Provision and Delivery of Healthcare Services
- Healthcare Operations: PHI is used to facilitate healthcare interactions, deliver personalized clinical information and recommendations, and support clinical decision-making.
- Treatment and Care Coordination: PHI is utilized to assist in diagnosing, treating, and coordinating patient care, in accordance with HIPAA’s definitions of treatment, payment, and healthcare operations.
- Appointment Scheduling and Communication: Personal Data is used to schedule and manage appointments, send reminders, and communicate with you regarding clinic operations.
3.2. Account Management and Personalization
- Account Maintenance: Your Personal Data, such as name, email address, and phone number, is used to manage and secure your account, including through authentication and two-factor authentication processes.
- Personalization: Interactions with CareBot are analyzed to tailor the Service to your clinic’s needs. This personalization uses aggregated and anonymized data, with any PHI processed under strict HIPAA safeguards.
3.3. Administrative, Security, and Compliance Purposes
- System Administration: Data is used for internal administration, including maintaining audit logs, conducting risk assessments, and monitoring system performance.
- Security Measures: We implement technical, physical, and administrative safeguards (e.g., encryption, role-based access controls) in compliance with HIPAA.
- Regulatory Compliance: Data is used to fulfill legal obligations, respond to public authority requests, resolve disputes, and ensure adherence to HIPAA and applicable regulations.
- Incident Response: In the event of a data breach, audit logs and other data support investigation, remediation, and notification procedures.
3.4. Communication and Customer Support
- Direct Communication: Data is used to communicate service updates, security alerts, policy changes, and responses to support inquiries via email, SMS, or push notifications.
- Healthcare-Related Updates: PHI may be used to send tailored updates regarding patient care operations and changes in clinic management.
3.5. Data Analysis, Research, and Service Improvement
- Service Optimization: Aggregated and de-identified Usage Data is analyzed to improve Service functionality, usability, and performance.
- Quality Improvement: Data is used to evaluate and enhance healthcare service offerings, optimize clinical decision support, and improve system reliability.
- Research Purposes: With explicit consent, de-identified or aggregated data may be used for research and development to advance healthcare outcomes, adhering to HIPAA de-identification standards or conducted under a valid BAA.
3.6. Business Operations and Transactions
- Business Transfers: In events such as mergers or acquisitions, your data may be transferred to a new entity, which will be required to uphold the same data protection and HIPAA standards.
- Third-Party Service Providers: Data may be shared with third-party Service Providers who assist with delivering, maintaining, and improving CareBot. These providers are contractually bound to implement HIPAA-equivalent safeguards.
3.7. Other Purposes
- Consent-Based Uses: For any data use not outlined above, explicit consent will be obtained in compliance with applicable laws and HIPAA guidelines.
- Additional Uses: Any additional use of your data will be disclosed in advance and will align with the original purposes of data collection or be based on further consent.
4. HIPAA Compliance for CareBot by Time AI
CareBot is designed and maintained to comply with HIPAA and its implementing regulations.
4.1. Explicit HIPAA Compliance Commitment
- Compliance Statement: CareBot is engineered to adhere to all applicable HIPAA requirements, ensuring the confidentiality, integrity, and availability of PHI throughout its lifecycle.
- Scope: Although Time AI is not a Covered Entity, when processing PHI on behalf of a Covered Entity, CareBot functions as a Business Associate, fully implementing all HIPAA Business Associate requirements.
4.2. PHI Handling and Segregation
- Definition and Collection: PHI includes individually identifiable health information related to patient care and clinic operations. PHI is collected only when necessary and is segregated from non-health-related data.
- Processing and Storage: PHI is processed solely for treatment, healthcare operations, and other permitted purposes. It is stored in secure environments within our AWS Environment, physically and logically segregated from other data.
4.3. Technical Safeguards
- Encryption: PHI is encrypted at rest using [AES-256 or equivalent] and in transit via [TLS 1.2/1.3 or equivalent] protocols.
- Access Controls: Role-based access and multi-factor authentication (MFA) ensure that only authorized personnel access PHI.
- Audit Logging and Monitoring: Comprehensive audit logs track all access and modifications to PHI. Continuous monitoring systems are in place to detect and respond to unauthorized activity.
- Data De-Identification: PHI is de-identified using HIPAA-compliant Safe Harbor or Expert Determination methods when appropriate.
4.4. Administrative and Physical Safeguards
- Administrative Safeguards:
  - A designated HIPAA Compliance Officer oversees our compliance program.
  - Regular risk assessments and internal audits are conducted annually.
  - Mandatory workforce training on HIPAA and data privacy is provided.
- Physical Safeguards:
  - Physical access to data centers in the AWS Environment is strictly controlled.
  - Security measures (access badges, biometric verification, surveillance) are in place at facilities hosting PHI.
4.5. Breach Notification Procedures
- Incident Response: In the event of a PHI breach, an incident response plan is enacted to contain, investigate, and remediate the breach.
- Notification: Affected parties, HHS, and, if required, the media will be notified within [60 days] of breach discovery.
- Documentation: All incidents and corrective actions are documented and retained per HIPAA requirements.
4.6. Business Associate Agreements (BAA)
- BAA Commitment: When CareBot processes PHI on behalf of a Covered Entity, Time AI enters into BAAs that delineate responsibilities for protecting PHI.
- Third-Party Service Providers: All external Service Providers are contractually required to implement HIPAA-equivalent safeguards.
4.7. Patient Rights Under HIPAA
- Access, Amendment, and Accounting: Clients have rights to access, request amendments, and receive an accounting of disclosures of PHI processed by CareBot.
- Restrictions and Consent: Clients may request restrictions on PHI usage or disclosure, with any non-standard use requiring explicit, informed consent.
- Designated Contact: All PHI rights requests should be directed to our HIPAA Compliance Officer at [Insert Contact Information].
4.8. Ongoing Compliance and Policy Updates
- Regular Reviews: Our HIPAA compliance framework is reviewed at least annually to address technological or regulatory changes.
- Continuous Improvement: We commit to prompt implementation of any required changes based on internal audits, external assessments, or updated regulatory guidance.
5. Data Retention and Deletion
CareBot manages Personal Data and PHI in full compliance with HIPAA and applicable state laws.
5.1. Data Retention
- HIPAA Compliance: Documentation related to HIPAA compliance (e.g., policies, procedures, training records) is retained for a minimum of six years from creation or last effective date.
- State Law Considerations: We comply with state-specific retention laws, retaining medical records for [six/seven] years or longer, as required.
- Business Records: Records such as Notices of Privacy Practices and PHI disclosure authorizations are maintained in accordance with HIPAA requirements.
5.2. Data Deletion
- Secure Disposal Methods: We employ methods such as:
  - Clearing: Overwriting media with non-sensitive data using approved software/hardware.
  - Purging: Degaussing to disrupt recorded data.
  - Destroying: Physically shredding, incinerating, or pulverizing media.
- Electronic Data: Electronic PHI is sanitized following industry guidelines to ensure irretrievability.
- Third-Party Vendors: Vendors involved in data disposal are contractually obligated to adhere to HIPAA data destruction standards.
- Documentation: All disposal activities are documented, including dates, methods, and responsible personnel.
5.3. Individual Rights
- Access and Deletion Requests: Clients have the right to request access to and deletion of their data, subject to legal retention requirements.
- Process for Requests: Requests should be submitted in writing to our HIPAA Compliance Officer at omar@timaisolutions.com.
5.4. Policy Review
- Regular Review: This Data Retention and Deletion policy is reviewed annually.
- Updates: Changes are communicated via [email notifications/website updates].
6. Data Transfers
CareBot is committed to ensuring that all data transfers are executed in compliance with HIPAA and other applicable regulations.
6.1. Internal Data Transfers
- Access Controls: Only authorized personnel may access and transfer PHI within our AWS Environment. Role-based access ensures that employees access only the data necessary for their functions.
- Encryption: Internal transfers of PHI are encrypted using industry-standard protocols.
- Monitoring and Auditing: All internal data transfers are continuously monitored and audited for unauthorized access.
6.2. External Data Transfers
- Secure Transfer Protocols: PHI transmitted externally—such as through our WhatsApp Business Integration or between EMRs and CareBot—utilizes secure protocols like SFTP.
- Business Associate Agreements (BAAs): Prior to external transfers, BAAs are established with all partners and Service Providers to ensure HIPAA compliance.
- Encryption: External transfers are secured by robust encryption to protect PHI during transit.
6.3. International Data Transfers
- Compliance with Applicable Laws: International transfers of PHI comply with HIPAA and relevant international data protection laws.
- Data Transfer Agreements: When PHI is transferred internationally, we implement data transfer agreements ensuring equivalent protection.
6.4. Employee Training
- Training Programs: Employees are regularly trained on our data transfer policies and HIPAA requirements.
- Confidentiality Agreements: All employees involved in data transfers sign confidentiality agreements.
6.5. Incident Response
- Breach Notification Procedures: In the event of a breach during data transfer, our incident response plan is activated to notify affected parties and regulatory authorities.
- Mitigation Measures: Steps are taken to mitigate any harm and prevent future breaches.
6.6. Policy Review and Updates
- Regular Reviews: Our data transfer policies are reviewed regularly to ensure ongoing HIPAA compliance.
- Stakeholder Communication: Policy changes are promptly communicated to stakeholders.
7. Your Rights and How to Exercise Them
As a healthcare provider (Client, Doctor, or Clinic Director) utilizing CareBot for clinic operations and CRM, you have specific rights regarding the handling of data, including PHI. These rights are designed to ensure compliance with HIPAA and applicable privacy laws.
7.1. Right to Access and Obtain Copies of PHI
- Description: You have the right to access and obtain copies of PHI processed by CareBot on behalf of your clinic, including data received from integrated EMRs and WhatsApp Business communications.
- How to Exercise: Submit a written request to the customer support email address provided in the web application. We will provide the requested information within 10 days.
7.2. Right to Amend PHI
- Description: If you believe that the PHI processed by CareBot is inaccurate or incomplete, you have the right to request an amendment.
- How to Exercise: Submit a written request detailing the specific information to be amended and the reason for the amendment to omar@timaisolutions.com. We will respond within 10 days.
7.3. Right to an Accounting of Disclosures
- Description: You have the right to receive an accounting of disclosures of PHI processed by CareBot, excluding those for treatment, payment, and healthcare operations.
- How to Exercise: Submit a written request to omar@timaisolutions.com. We will provide the accounting within 10 days, covering disclosures made in the six years prior to the request.
7.4. Right to Request Restrictions
- Description: You may request restrictions on the use or disclosure of PHI. Although CareBot is not required to agree to these restrictions, we will consider all reasonable requests.
- How to Exercise: Submit a written request specifying the desired restrictions to omar@timaisolutions.com. We will notify you of our decision within 10 days.
7.5. Right to Confidential Communications
- Description: You have the right to request that communications involving PHI be conducted through alternative means or at alternative locations to ensure confidentiality.
- How to Exercise: Submit a written request specifying your preferred method or location for confidential communications to omar@timaisolutions.com. We will accommodate reasonable requests in accordance with HIPAA.
7.6. Right to Lodge a Complaint
- Description: If you believe your privacy rights have been violated, you have the right to file a complaint with CareBot or directly with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights.
- How to Exercise: To file a complaint with CareBot, submit a written statement detailing the alleged violation to omar@timaisolutions.com. Alternatively, to file a complaint with HHS, visit https://www.hhs.gov/civil-rights/filing-a-complaint/index.html.
7.7. No Retaliation
- Description: CareBot will not retaliate against you for exercising any of your rights or for filing a complaint regarding the handling of PHI.
8. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Any changes that impact our HIPAA compliance or the handling of PHI will be communicated to you via email or prominent notice on the Service before they become effective. The “Last Updated” date at the top of this policy reflects the most recent changes.
9. Contact Us
If you have any questions or concerns regarding this Privacy Policy, our HIPAA compliance efforts, or the handling of PHI by CareBot, please contact us at:
- Email: omar@timaisolutions.com
- Phone: +201023033225